Protecting Natural RPC Servers and Services

This section describes the various aspects of Natural remote procedure call protection; it covers the following topics:

For general information about Natural remote procedure calls, please refer to the Natural RPC documentation.


RPC Service Requests

In a client/server environment, you can use Natural Security to protect the use of Natural remote procedure calls. You can protect Natural RPC servers as well as the way in which Natural RPC service requests issued by clients are handled.

An RPC service request is a request from a client to a Natural RPC server for a Natural subprogram to be invoked which is located in a library on the server.

When a remote CALLNAT is executed, and the Natural RPC Logon Option is set on the client, the following data are passed to the Natural RPC server for validation:

  • the name of the subprogram to be invoked;

  • the ID of the library on the server which contains the subprogram to be invoked;

  • the Natural RPC user ID and password (that is, the Natural user ID and password supplied with the Natural RPC service request);

  • the EntireX user ID (validation depends on Logon Option; see below).

See also the section Using Security in the Natural RPC documentation.

RPC Server Settings in Natural

The following Natural profile parameters on a Natural RPC server should be reviewed if the server is to be protected by Natural Security:

Profile Parameter Explanation
RPC

The settings for a Natural session which is started as a Natural RPC server are determined by the Natural profile parameter RPC. For a server to be protected by Natural Security, two subparameters of the RPC profile parameter are of particular relevance: SRVNAME and LOGONRQ.

SRVNAME specifies the name of the server. This is the name which has to be used as the ID for a corresponding security profile.

LOGONRQ determines whether the server is to accept only secured service requests or both public and secured service requests:

  • A public request is a service request whose Natural RPC user ID and password are not validated; instead, the user ID which was used to start the server session (as contained in the Natural system variable *USER) will be used for the service request.

  • A secured request is s service request whose Natural RPC user ID and password are validated.

For a server to be protected by Natural Security so that only secured requests are accepted, set the LOGONRQ subparameter to ON.

FSEC

With the profile parameter FSEC, you determine the FSEC system file to be associated with the Natural RPC server.

ETID

If you start the server session and specify an actual value with the profile parameter ETID, all service requests to the server will use the same specified ETID.

If you start the server session with the profile parameter ETID=' ' (blank), no ETID can be supplied by Natural Security.

If you start the server session with the profile parameter ETID=OFF, the ETIDs to be used by the service requests will be determined by the setting of the ETID option in the security profile of the RPC server (see Components of an RPC Server Profile below). By setting this option to "S" (or "F"), you can ensure an ETID handling, with appropriate database open/close processing, which allows you to uniquely identify each service request's database transactions.

If you start a server with replicas, the ETID parameter must be set to OFF or ' ' (blank).

AUTO

The profile parameter AUTO (automatic logon) is only evaluated when the server session is started. For subsequent service requests to the running server, the AUTO parameter is ignored.

If you start the server session with AUTO=OFF, you should assign a library via the profile parameter STACK=(LOGON library-ID ,...)

RPC Server Settings in Natural Security

Generally, the Natural Security user profiles and library profiles on the FSEC system file assigned to the Natural RPC server session determine the access rights to the requested library on the server.

Specifically for the protection of Natural RPC servers, Natural Security provides the following options:

  • In the security profile of a library, you can set various options which apply when the library is accessed via a Natural RPC service request. These options are described under Natural RPC Restrictions in the section Library Maintenance.

  • You can define security profiles for Natural RPC servers, as described below in the section Security Profiles for Natural RPC Servers.

  • In the Library Preset Values section of Administrator Services, you can set various Natural RPC Server Session Options, which control the logon to libraries via Natural RPC service requests.

Validation of an RPC Service Request

This section covers the following topics:

Supported RPC Server Situations

The following situations are supported by Natural Security:

  • Natural RPC server protected by Natural Security only: The Natural RPC user ID is validated.

  • Natural RPC server protected by Natural Security and EntireX Security: The Natural RPC user ID and the EntireX user ID are validated.

Security Data to Be Supplied by the Client

Natural Clients

Security data are supplied by the Natural client if the Natural RPC Logon Option is set. In this case the following applies:

  • The Natural RPC user ID and password to be used for the service request have to be specified via the Natural application programming interface USR1071N (contained in the library SYSEXT). To ensure that this user ID and password are available when needed, executing USR1071N should be one of the first tasks performed by an application on the client. If USR1071N is not executed and the client runs under Natural Security, the user ID and password from the Natural Security logon on the client are used instead.

    If the Impersonation option is set to "A" in the RPC server security profile and the server has been started with ETID=OFF, the user ID on the client is specified via the Natural application programming interface USR4371N (contained in the library SYSEXT). In addition, USR4371N can be used to set the ETID for the service request.

  • The EntireX user ID is supplied via the Natural application programming interface USR2071N.

  • The library ID to be used for the service request has to be specified via the Natural application programming interface USR4008N (contained in the library SYSEXT). If USR4008N is not executed, the ID of the client library in which the CALLNAT statement was executed is used instead.

Note:
If the Natural RPC passwords used for a service request may contain special characters, make sure that the Natural character translation tables NTTABA1 and NTTABA2 on the Natural RPC server have been adjusted accordingly.

Non-Natural Clients

Please refer to the client's remote procedure call documentation for information on how to supply the required security data with an RPC service request issued by a non-Natural client to a

  • Natural RPC server protected by Natural Security;

  • Natural RPC server protected by Natural Security and EntireX Security.

Impersonation

For user authentication on the Natural RPC server, two modes are possible:

  • validation with impersonation,

  • validation without impersonation.

Impersonation assumes that access to the operating system on which a Natural RPC server is running is controlled by an SAF-compliant external security system. User authentication (verification of the Natural RPC user ID and - optionally - the password) is performed by this external security system. Impersonation means that after the authentication has been successful and the user's identity is established, any subsequent authorization checks will be performed based on this identity. This includes authorization checks for access to external resources (for example, databases or work files).

Impersonation is only possible if the Natural RPC server runs under z/OS in batch mode, or under CICS. Impersonation can be used if an SAF-compliant external security system is used, and user authentication is to be performed by this external security system.

Impersonation is activated by the Impersonation setting in the security profile of the Natural RPC server (see Components of an RPC Server Profile below).

Validation on the Natural RPC Server

Validation Without Impersonation

If impersonation is not active for the Natural RPC server, Natural Security will perform a logon to the requested library, using the Natural RPC user ID. The logon is performed according to the Natural Security logon rules and the security settings defined on the FSEC system file associated with the server.

One check performed during the logon is based on the evaluation of the Natural RPC Restrictions > Logon Option in the security profile of the requested library. This option determines whether only the Natural RPC user ID or both the user ID and the password are to be verified by the Natural Security logon procedure:

  • If the Logon Option is set to "N" or "E", both the user ID and the password are verified.

  • If the Logon Option is set to "A" or "S", only the user ID is verified - assuming that the password has already been verified (similiar to the Natural profile parameter AUTO=ON).

  • In addition, if the Logon Option is set to "E" or "S", Natural Security checks if the Natural RPC user ID is identical to the EntireX user ID. If both IDs are not identical, the service request will be rejected.

After a successful logon, the requested subprogram will be executed.

If the processing of the service request includes an access to an external resource (for example, a database or work file), the external user ID which was used to start the Natural RPC server will be used to check the authorization for such an access.

Validation With Impersonation

Impersonation can be used if the user authentication is performed by an SAF-compliant external security system.

If impersonation is active for the Natural RPC server, the Natural server front-end passes the Natural RPC user ID and password (or the user ID only) to the external security system for verification.

After a successful user authentication by the external security system, Natural Security will perform a logon to the requested library. For this logon, Natural Security uses the Natural RPC user ID, but will not perform any password verification for this user. The logon is performed according to the Natural Security logon rules and the security settings defined on the FSEC system file associated with the server.

One check performed during the logon is based on the evaluation of the Natural RPC Restrictions > Logon Option in the security profile of the requested library: If the Logon Option is set to "E" or "S", Natural Security checks if the Natural RPC user ID is identical to the EntireX user ID. If both IDs are not identical, the RPC service request will be rejected.

After a successful logon, the requested subprogram will be executed.

If the processing of the service request includes an access to an external resource (for example, a database or work file), the Natural RPC user ID will be used to check the authorization for such an access.

Logon Mode

If you use a Natural RPC server which provides services performed by subprograms contained in a single library, you can use the Logon Mode option in the security profile of the Natural RPC server to improve performance. This reduces the number of database accesses to the Natural Security system file FSEC.

The library on the server is set at the start of the server session, and will remain unchanged until the end of the server session. Service requests for any other library will be rejected. If the library is unprotected (People-protected = N), the user's authorization to access the library is not checked. If the library is protected (People-protected=Y), the user's authorization to access the library is checked. After a successful check, the user's conditions of use of the library are determined by the library profile. Even if a special link exists between the user and the library, any settings in the special-link profile will be ignored.

Note:
When you set Logon Mode to "S" to improve performance, please be aware that other Natural Security settings also influence performance, in particular the Logon recorded option in user and library profiles. Morever, the performance of ETID-triggered handling of database transactions cannot be optimized.

Summary of Checks Based on Settings in Security Profiles

This section summarizes the checks which are performed by Natural Security depending on settings in security profiles when a service request is issued to a Natural RPC server. The following steps are performed:

  1. User authentication is performed (see the section Validation on the Server above).

  2. RPC server profile > the Logon Mode option is evaluated at the start of the Natural RPC server session (see the section Logon Mode above).

  3. Library profile > General Options > the People-protected option is evaluated.

  4. Library profile > Natural RPC Restrictions > the Logon Option is evaluated (see the section Validation on the Server above): Depending on its setting, it is checked whether the Natural RPC user ID is identical to the EntireX user ID.

  5. RPC server profile > the Service Protection option is evaluated at the start of the Natural RPC server session.

Security Profiles for Natural RPC Servers

Default Profile

The installation procedure of Natural Security automatically creates a default security profile with the server ID "*". This profile applies to all Natural RPC servers for which no individual security profiles are defined. You can change the settings in this default profile to suit your requirements.

Note:
Should there be no default RPC server profile "*" in your FSEC system file (this may be the case because the file was not available at the installation), execute the program NSCRPCAC in the library SYSSEC. This program creates the default server profile.

Asterisk Notation for Server IDs

If you do not wish to define a security profile for every single server, you can use asterisk notation for the server ID: If you create a server security profile an choose as server ID a character string followed by an asterisk (*), the profile will apply to all servers whose IDs begin with that character string. For an individual server within such a range, you may still define an individual security profile.

For example, if you defined a server security profile with the ID "A*", it would apply to all servers whose IDs begin with "A" (such a ARPC1, AA01, ABC, ADE etc.). A profile with the ID "ABC*" would in turn apply to, for example, ABCA, ABCXYZ etc.

Server Profile Components and Functions

The components of server security profiles and the functions used to create and maintain them are described below.

Some Natural Security functions use the code RP to represent the object type "Natural RPC servers".

Components of an RPC Server Profile

The following type of screen is the primary profile screen which is displayed when you invoke one of the functions Add, Copy, Modify, Display for the security profile of a Natural RPC server:

11:55:00                    *** NATURAL SECURITY ***                 2017-12 31
                            - Modify NatRPC Server -                        
                                                                             
                                             Modified .. 2017-12-31 by SAG
                                                                               
NatRPC Server ... RPCS01
Description ..... __________________________________

           
--------------- Options -------------                          
Impersonation ............ (N,Y,A): Y  
Lock User ................ (N,X,*): X
ETID ................. (N,*,S,F,C): S     
Logon Mode ................. (N,S): S 
Domain separator .................: _                  
Service protection ......... (R,*): *             
              
                  
                            
Additional Options ... N                       
                                                                               
                                        
Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
      Help  PrevM Exit  AddOp       Flip                                Canc

The individual items you may define as part of a Natural RPC server's security profile are explained below.

Field Explanation
Impersonation Impersonation is only relevant if an SAF-compliant external security system is used for user authentication. Impersonation is described above under Validation of an RPC Service Request. This option activates impersonation for the server:
N   Impersonation is not active.
Y   Impersonation is active - with verification of the user ID and the password.
A Impersonation is active - with verification of the user ID, but not the password.
Impersonation is only possible if the server runs under z/OS in batch mode, or under CICS. If it does not, the setting of this option will be ignored.
Lock User This option only applies to libraries in whose security profiles the Lock User option (in the Natural RPC Restrictions section of the library profile) is set to "*". For these libraries, it controls the locking of users when they attempt to access these libraries on the server via Natural RPC service calls:
N The Lock User feature is not active.
X The Lock User feature is active for access attempts to libraries on the server via Natural RPC service calls. Once a user has reached the maximum number of logon attempts without supplying the correct password, he/she will be locked, that is, the user ID will be made "invalid". Natural Security "remembers" unsuccessful attempts across sessions: The error counters for the client user IDs which were tried out unsuccessfully are kept for access attempts in subsequent sessions, thus reducing the number of subsequent attempts with these IDs. The error counter for a user ID is only reset after a successful logon.
* The value of the Lock user option in the Library Preset Values of Administrator Services determines whether or not the Lock User feature is active for access attempts to libraries via Natural RPC service calls.
For details on the Lock User feature, see also the Lock User Option in the General Options section of Administrator Services.
ETID

This option only applies to secured service requests passed from Natural clients to the Natural RPC server. It determines which ETIDs are to be used for these clients during the server session:

N

The Default ETID as defined in the user security profile of the Natural client determines the ETID to be used.

S

A time-stamp-related ETID will be generated for every service request that accesses the Natural RPC server under the control of Natural Security. The ETID is generated when the server is accessed, and will remain in effect until the service request has been processed. Logons to the server are recorded.

For information on time-stamp-related ETIDs, see also ETID under User Preset Values in Administrator Services.

F

Same as "S", except that logons to the Natural RPC server are not recorded.

C

The ETID is supplied by the client, using as ETID the password value provided by the application programming interface USR1071N (see also Security Data to be Supplied by the Client) . ETID=C is only possible if the field Impersonation is set to "A".

*

The setting of the ETID option in the User Preset Values, which applies to the user security profile, will determine the ETID to be used.

If this option is set to any value other than "N", it is recommended that the RPC server session be started with the Natural profile parameter ETID=OFF.

For public service requests, this option has no effect; for them, the ETID of the Natural RPC server, as established at the start of the server session, is used.

Logon Mode This option can be used if only one library on the Natural RPC server is accessed:
N

No special logon mode applies.

S

Static Mode applies: The library on the Natural RPC server is set at the start of the server session. It will remain unchanged until the end of the server session. The server will only process service requests for this one library. Any service request with a different library ID will be rejected.

If this option is set, the conditions of use of the library are determined by the library profile. Even if a special link exists between the user and the library, any special-link profile will be ignored.

Provided that the Natural RPC server provides services performed by subprograms contained in a single library, you can use this option to improve performance.

See also Validation of an RPC Service Request above.

Domain Separator This field is only relevant if
  • your external security system uses a so-called "domain separator" character to separate the domain name from the user ID, and

  • the Logon Option in the security profile of the requested library is set to "E" or "S", which means that it is checked whether the Natural RPC user ID is identical to the EntireX user ID.

The ensure that this check is performed correctly, you have to specify the domain character in this field: The check is then applied to the first 8 characters after the domain separator.

Service Protection This option is used to restrict access to the Natural RPC server:
* Access is not restricted: All users may access the server.
R Access is restricted: Only users who are linked to the server profile may access the server. In addition, you can restrict the access to be possible only via specific services (subprograms). See Allowing/Disallowing Services for further information.
Before you can reset this field from "R" to "*", you have to delete the list of allowed services you may have specified via Allowing/Disallowing Services.

Additional Options

If you either mark the field Additional Options with "Y" or press PF4, a window will be displayed from which you can select the following options:

  • Maintenance Information

  • Security Notes

  • Owners

The options for which something has already been specified or defined are marked with a plus sign (+).

You can select one or more items from the window by marking them with any character. For each item selected, an additional window will be displayed:

Additional Option Explanation
Maintenance Information
(display only)
In this window, the following information is displayed:
  • the date and time when the security profile was created, the ID of the administrator who created it, and (if applicable) the IDs of the co-owners who countersigned for the creation;

  • the date and time when the security profile was last modified, the ID of the administrator who made the last modification, and (if applicable) the IDs of the co-owners who countersigned for the modification.

Security Notes   In this window, you may enter your notes on the security profile.
Owners   In this window, you may enter up to eight IDs of administrators. Only the administrators specified here will be allowed to maintain this server security profile.

If no owner is specified, any user of type "Administrator" may maintain the security profile.

For each owner, the number of co-owners whose countersignatures will be required for maintenance permission may optionally be specified in the field after the ID.

For information on owners and co-owners, see the section Countersignatures.

Creating and Maintaining RPC Server Profiles

This section describes the functions used to create and maintain security profiles for Natural RPC servers. It covers the following topics:

Invoking Maintenance for Natural RPC Servers

Start of instruction setTo invoke Natural RPC server maintenance:

  1. On the Main Menu, select Maintenance.

    A window will be displayed.

  2. In the window, mark the object type Natural RPC Server with a character or with the cursor.

    The Natural RPC Server Maintenance selection list will be displayed.

  3. From this selection list, you invoke all Natural RPC server maintenance functions as described below.

Adding a New Server Profile

To define a Natural RPC server to Natural Security, you create a security profile for it.

Start of instruction setTo do so:

  1. In the command line of the Natural RPC Server Maintenance selection list, enter the command ADD.

  2. A window will be displayed in which you enter an ID for the server.

    This ID corresponds to the server name as specified with the Natural profile parameter RPC (see RPC Server Settings in Natural above), and must conform to the naming conventions for Natural RPC servers. Asterisk notation for the server ID is possible, as described under Security Profiles for Natural RPC Servers above.

  3. After you have entered a valid ID, the Add Natural RPC Server screen will be displayed.

    The items you may define on this screen and any additional windows that may be part of a server security profile are described under Components of an RPC Server Profile.

When you add a new server profile, the owners specified in your own user security profile are automatically copied into the server security profile.

Selecting Existing Server Profiles for Processing

When you invoke Natural RPC Server Maintenance, a list of all Natural RPC server profiles that have been defined to Natural Security will be displayed.

If you do not want a list of all existing profiles, but wish only certain servers to be listed, use the Start Value option as described in the section Finding Your Way In Natural Security.

On the Main Menu, select Maintenance. A window will be displayed.

In the window, mark the object type Natural RPC Server with a character or with the cursor (and, if desired, enter a start value). The Natural RPC Server Maintenance selection list will be displayed:

 14:34:42                    *** NATURAL SECURITY ***                 2017-12-31
                          - NatRPC Server Maintenance -             FSEC (47,11)
                                                                                
 Co NatRPC Server                    Description           P Message            
 __ ________________________________ _____________________ _ ___________________
 __ A_NATRPC_SERVER_PAYROLL          Department Duckville  R                    
 __ ADE_RPC                          Arch. Department Ge.. R                    
 __ BEST_SERVER                      Third party logistics R                    
 __ DOBANCO_SRV1                     Credit transfer Ban.. R                    
 __ EMPLOYEES_SRV1                   Headquarter Server P1 *                    
 __ ESSENHEIM_SRV1                   Location Essenheim    R                    
 __ NATURAL_RPC_SERVER_NAME_32_BYTES Test SRVNAME          *                    
 __ RPC_TIME                         8 * 7 Support         R                    
 __ RPC_TIME_LONG_LIFE               24 * 7 Support        *                    
 __ RPC_TIME_LONG_LIFE_B             24 * 7 Support Backup *                    
 __ TEST_SRV0                        QA env. 1             *                    
 __ TEST_SRV1                        QA env. 2             R                    
 __ TEST_SRV2                        QA env. 3             *                    
 __ UHE_SRV                          Developer Test env.   *                    
 __ WWESRV                                                 *                    
 Command ===>                                                                   
 Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
       Help        Exit              Flip  -     +                       Canc   

For each server, the server ID is displayed.

The list can be scrolled as described in the section Finding Your Way In Natural Security.

Selecting a Function

The following maintenance functions are available for Natural RPC server profiles (possible code abbreviations are underlined):

Code Function
CO Copy server profile
MO Modify server profile
RE Rename server profile
DE Delete server profile
DI Display server profile
LU Link users to server profile

To invoke a function for a server profile, mark the server with the appropriate function code in column Co.

You may select various server profiles for various functions at the same time; that is, you can mark several servers on the screen with a function code. For each server marked, the appropriate processing screen will be displayed. You may then perform the selected functions for one server profile after another.

Copying a Server Profile

The Copy Server Profile function is used to define a new Natural RPC server to Natural Security by creating a security profile which is identical to an already existing Natural RPC server security profile.

What is Copied?

All components of the existing security profile will be copied into the new security profile - except the owners (these will be copied from your own user security profile into the new server security profile).

Any links from users to the existing server will not be copied.

Start of instruction setTo copy a server profile:

  1. On the Natural RPC Server Maintenance selection list, mark the server whose security profile you wish to duplicate with function code CO.

  2. A window will be displayed in which you enter the ID of the new server.

    The ID corresponds to the server name as specified with the Natural profile parameter RPC (see RPC Server Settings in Natural above), and must conform to the naming conventions for Natural RPC servers. Asterisk notation for the server ID is possible, as described under Security Profiles for Natural RPC Servers above.

  3. After you have entered a valid ID, the new security profile will be displayed.

    Its components which you may define or modify are described under Components of an RPC Server Profile.

Modifying a Server Profile

The Modify Server Profile function is used to change an existing Natural RPC server security profile.

Start of instruction setTo do so:

  1. On the Natural RPC Server Maintenance selection list, mark the server whose security profile you wish to change with function code MO.

  2. The security profile of the selected server will be displayed.

    Its components which you may define or modify are described under Components of an RPC Server Profile.

Renaming a Server Profile

The Rename function allows you to change the server ID of an existing Natural RPC server security profile.

Start of instruction setTo do so:

  1. On the Natural RPC Server Maintenance selection list, mark the server whose ID you wish to change with function code RE.

  2. A window will be displayed in which you enter a new ID for the server profile.

    The ID corresponds to the server name as specified with the Natural profile parameter RPC (see RPC Server Settings in Natural above), and must conform to the naming conventions for Natural RPC servers. Asterisk notation for the server ID is possible, as described under Security Profiles for Natural RPC Servers above.

Deleting a Server Profile

The Delete Server Profile function is used to delete an existing Natural RPC server security profile.

Start of instruction setTo do so:

  1. On the Natural RPC Server Maintenance selection list, mark the server whose profile you wish to delete with function code DE.

  2. The Delete Server Profile window will be displayed.

    • If you decide against deleting the server security profile, leave the window by pressing ENTER without having typed in anything.

    • To delete the server security profile, enter the server ID in the window to confirm the deletion.

If you mark more than one server profile with DE, a window will be displayed in which you are asked whether you wish to confirm the deletion of each server security profile with entering the server ID, or whether all server profiles selected for deletion are to be deleted without this individual confirmation. Be careful not to delete a server profile accidentally.

Displaying a Server Profile

The Display Server Profile function is used to display an existing Natural RPC server security profile.

Start of instruction setTo do so:

  • On the Natural RPC Server Maintenance selection list, mark the server whose security profile you wish to view with function code DI.

    The security profile of the selected server will be displayed.

    Its components are explained under Components of an RPC Server Profile.

Allowing/Disallowing Services

If access to a Natural RPC server is restricted by the option Service Protection in the server profile (see Components of an RPC Server Profile), you use the functions described below to allow/disallow users access to services (subprograms) on the server.

You can:

Allow/Disallow via RPC Server Maintenance or User Maintenance

Start of instruction setTo allow/disallow a service:

  1. On the Natural RPC Server Maintenance selection list, mark the desired server with function code LU. This is only possible for servers in whose security profiles Service Protection is set to "R" (as indicated by the column "P" on the selection list).

    A window will be displayed in which you specify if the list of users to be displayed is to contain all users (U), only linked users (L), or only user who are not linked (N).

    Then the list of users will be displayed.

    Or:
    On the User Maintenance selection list, mark the desired user (user type A, P or G) with function code LR.

    A list of all servers with Service Protection set to "R" will be displayed.

  2. The lists can be scrolled as described in the section Finding Your Way In Natural Security.

  3. In the Co column, mark each user/server with one of the following function codes:

Code Function
*A   Allow access - The user may access the server. The access is not restricted to specific subprograms (apart from disallowed modules; see below).
RA   Restrict access - The user can access the server only via explicitly allowed services (subprograms).

The use of certain subprograms in a library can be restricted generally via the Disallow/Allow Modules section of a library or special-link profile. These restrictions apply within and without an RPC server context. That is, if a subprogram is disallowed in the library or special-link profile, it cannot be allowed in an RPC server context.

However, you can further restrict access to subprograms in an RPC server context. Access to the server is then only possible via the subprograms explicitly allowed: If you mark a user with function code RA, a window will be displayed, and you allow a subprogram by specifying its subprogram and library ID.

If there already are allowed subprograms, a list of these subprograms will be displayed:

  • To allow further subprograms, press PF5. A window will be displayed in which you specify the desired subprogram and library ID (for a selection list of library IDs, you can enter an asterisk (*)).

  • To disallow a subprogram, mark it with DE on the list.

DA   Disallow access - The user cannot access the server.

Allow/Disallow via Library Maintenance

Start of instruction setTo allow/disallow a service:

  1. On the Library Maintenance selection list, mark the desired library with function code RA.

  2. A window will be displayed in which you specify:

    • "U" to get a list of all users (user types A, P and G) who may use the library (if the library is people-protected = Y, the list contains only users who are linked to it); or

    • "R" to get a list of all RPC servers in whose security profiles Service Protection is set to "R".

    The lists can be scrolled as described in the section Finding Your Way In Natural Security.

Start of instruction setIf you selected "U", proceed as follows:

  1. On the list of users, mark a user with RA.

  2. A list of all servers in whose security profiles Service Protection is set to "R" will be displayed.

    Mark a server with the function code RA.

  3. A list of all services (subprograms) in the library which the user is allowed to access will be displayed.

    • To allow further services, press PF5. A window will be displayed in which you specify the desired subprogram.

    • To disallow a service, mark it with DE on the list.

Start of instruction setIf you selected "R", proceed as follows:

  1. On the list of servers, mark a server with the function code RA.

  2. A list of all users (user types A, P and G) and the services (subprograms) in the library which they are allowed to access will be displayed.

    • To allow further services, press PF5. A window will be displayed in which you specify the desired user ID and subprogram (for a selection list of user IDs, you can enter an asterisk (*)).

    • To disallow a service, mark it with DE on the list.

Other RPC-Related Features

User Exit LOGONEX4

The Natural Security user exit LOGONEX4 is invoked by the Natural Security RPC logon program after a successful logon of a Natural RPC client to a Natural RPC server. For details, see RPC-Related User Exit in the section User Exits.

Password Change via RPC Service Request - User Exit USR2074N

The Natural user exit USR2074N, contained in the library SYSEXT, allows you to change the user password via a Natural RPC service request.